In recent years, identity theft has emerged as one of the major security issues facing business enterprises. With the increase in the digitization of credentials (as well as in the use of IT applications) for day-to-day activities, identity theft has become quite common in India. Therefore, enterprises need to set up an efficient system or framework to prevent identity theft. This tip will examine proactive as well as reactive ways to prevent identity theft; we will also highlight some of the mistakes to avoid, and list a few best practices in the field.
More stories on Identity theft
Identity & Access Management (IAM): Authentication and authorization are commonly-used controls to prevent identity theft. These mostly deal with validating the answers to two questions: Who are you? and What accesses do you have?
Using IAM solutions is one of the proactive ways to prevent identity theft. These solutions define and modify user access rights using a centralized mechanism; they also monitor the authorization based on these rights. There are primarily three factors which can be used for authentication of an individual something you have, something you are, and something you know. For example, accessing your account through an ATM uses two factors of authentication for prevention of identity theft: the PIN (something you know) and ATM card (something you have).
Enterprises can have granular access controls for operating systems and storage devices. Its possible to define detailed access levels for users (such as create, modify and delete) at the record level to prevent identity theft. You may also need a privilege access management solution which allows users access for a particular duration one which monitors and records the event during this duration.
Content Access Management (CAM): CAM embraces technologies which provide protection to structured and unstructured data within or outside the confines of a system that provides access management capabilities (native or externalized) such as:
Encryption: This technology to prevent identity theft can be applied to data at rest within an organizations networks or on notebook PCs; it can also be applied to data in motion. File encryption is typically the least expensive way to protect documents from unauthorized insiders, including system administrators. Encrypted files can be emailed or placed on servers as part of the identity theft prevention strategy.
Enterprise digital rights management: This can be applied to enterprise messaging, documents and other intellectual property to protect against intellectual property loss. It can also protect your business from inappropriate (or unintended) disclosure of proprietary or confidential enterprise information.
Network Access Control: You can leverage access control at the network level to authenticate at the packet level. Network Access Control regulates access to a network with the help of security policies. Policies outline the security configurations which network administrators wish to enforce as a pre-requisite for network access. These include pre-admission endpoint security policy checks and post-admission controls over users and devices on a network. Integrating Network Access Control with IAM enables enterprises to enforce user access based on the authorization and access privileges defined in an authentication server or directory service.
Reactive ways to prevent identity theft include controls to monitor and manage security incidents and events. These include:
Security Incident & Event Management: This identity theft prevention technique involves correlating information from logs, incident monitoring, and raising alerts.
Log management: Such techniques involve creation of a dashboard for compliance reporting using enterprise logs.
Here are some useful guidelines and methods that can be used to prevent identity theft.
1) Chart out the enterprise identity vision by defining objectives and assessing criticality.
2) Define the scope by doing a technical assessment of the IT infrastructure. Once this is through, conduct a complete risk assessment of the IT systems being secured as part of the exercise to prevent identity theft.
3) Before implementing any IAM system, decide what data the organization wants to protect, who owns that data, and how it fits into the organizations data classification policy.
4) Check the compatibility of the IAM system with the current network and IT systems.
5) Verify the scope of scalability as the business grows.
6) Define the roles and accesses (role engineering and role-based access controls) before defining the IAM program.
7) Adopt more effective application-screening procedures.
8) Have procedures to isolate the cause to prevent an outbreak.
9) Administer security measures via regular audits.
10) Implement responsible information-handling practices.
An increasing number of identity theft cases are being traced back to disgruntled employees who obtain sensitive personal information of other employees and customers. Such information is either used for theft or disclosure to someone else (who can act on their behalf). One of the ways to prevent identity theft is to safeguard personal information within the workplace. Some of the practices enterprises can undertake may be viewed at http://www.privacyrights.org/ar/PreventITWorkplace.htm
About the author: Nilesh Shirke is the IAM Practice Head at Tech Mahindra. He heads the consulting practice, which consists of more than 70 IAM consultants.
(As told to Dhwani Pandya)